Safety PLCs are programmed very much like standard PLCs. All of the additional diagnostics and error checking mentioned earlier are done by the operating system, so the programmer is not even aware that they are happening. Most safety PLCs have special instructions used to write the program for the safety system, and these instructions tend to mimic the function of their safety relay counterparts. For example, the Emergency Stop instruction in Figure 97 operates very much like an MSR 127. Though the logic behind each of these instructions is complex, the safety programs look relatively simple because the programmer simply connects these blocks together. These instructions, along with the other logical, math, data manipulation and similar instructions, are certified by a third party to ensure that their operation is consistent with the applicable standards.
Function blocks are the predominant method for programming safety functions. In addition to function blocks and ladder logic, safety PLCs also provide certified safety application instructions, which package application-specific behavior. The example in Figure 97 shows an emergency stop instruction; accomplishing the same function in ladder logic would require approximately 16 rungs. Because the behavior is embedded in the certified E-Stop instruction, the programmer does not have to test that embedded logic. The application built around the instruction (its parameters, the wiring of its channels and the reset behavior) still has to be validated.
Figure 97: E-Stop Function Block (Emergency Stop with Manual Reset block; connections shown: Channel 1 A, Channel 1 B, Circuit Reset, Fault Reset, Cycle Inputs, Output 1, Inputs Inconsistent, Circuit Reset Held On, Fault Present)
Certified function blocks are available to interface with almost all safety devices. One exception is the safety edge that uses resistive technology. The following certified application instructions are available in the GuardPLC:
1. Diverse (1 N.O. + 1 N.C.) Input with Auto Reset
2. Diverse (1 N.O. + 1 N.C.) Input with Manual Reset
3. Emergency Stop with Auto Reset
4. Emergency Stop with Manual Reset
5. Redundant (2 N.C.) Input with Auto Reset
6. Redundant (2 N.C.) Input with Manual Reset
7. Redundant Output with Positive Feedback
8. Redundant Output with Negative Feedback
9. Enable Pendant with Auto Reset
10. Enable Pendant with Manual Reset
11. Two Hand Run Station with Active Pin
12. Two Hand Run Station without Active Pin
13. Light Curtain with Auto Reset
14. Light Curtain with Manual Reset
15. Five Position Mode Selector
16. Single Pulse Test Output
17. Redundant Pulse Test Output
Safety PLCs generate a "signature" that makes it possible to track whether changes were made. This signature is usually a combination of the program, the input/output configuration, and a time stamp. When the program is finalized and validated, the user should record this signature as part of the validation results for future reference; comparing the signature the controller reports against the recorded value confirms that the validated program and configuration are the ones actually running. If the program needs modification, revalidation is required and a new signature must be recorded. The program can also be locked with a password to prevent unauthorized changes.
Wiring is simplified with programmable logic systems as compared to monitoring safety relays. Unlike wiring to specific terminals on monitoring safety relays, input devices are connected to any input terminals and output devices are connected to any output terminals. The terminals are then assigned through software, which makes the terminal assignment part of the configuration that the safety signature covers and that validation must include.
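The two paragraphs above describe a signature over program, I/O configuration and time stamp, and a terminal assignment that lives in software. The following added example (not GuardPLC or GuardLogix code, and not their actual signature algorithm) models that property with a SHA-256 over a canonical encoding of a constructed project: the same project always yields the same signature, while swapping two terminal assignments or re-downloading at a later time produces a signature that no longer matches the validation record. The project layout, tag and terminal names are assumptions made for the illustration.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass

# Constructed model of a safety project. Real controllers hash their own
# internal representation; only the covered elements are reproduced here.


@dataclass
class SafetyProject:
    program: tuple     # ordered (instruction name, parameter dict) pairs
    io_config: dict    # physical terminal -> safety tag assigned in software
    timestamp: str     # when the signature was generated


def canonical_bytes(project: SafetyProject) -> bytes:
    """Deterministic encoding: dict insertion order must not affect the hash."""
    doc = {
        "program": [[name, params] for name, params in project.program],
        "io_config": project.io_config,
        "timestamp": project.timestamp,
    }
    return json.dumps(doc, sort_keys=True, separators=(",", ":")).encode()


def compute_signature(project: SafetyProject) -> str:
    """What the controller would report after a download."""
    return hashlib.sha256(canonical_bytes(project)).hexdigest()


def verify_signature(project: SafetyProject, recorded: str) -> bool:
    """Compare the signature reported now with the one in the validation
    record; a mismatch means the validated configuration is not running."""
    return hmac.compare_digest(compute_signature(project), recorded)


def with_swapped_terminals(project: SafetyProject, a: str, b: str) -> SafetyProject:
    """Same program, but two devices landed on each other's terminals."""
    cfg = dict(project.io_config)
    cfg[a], cfg[b] = cfg[b], cfg[a]
    return SafetyProject(project.program, cfg, project.timestamp)


def with_new_timestamp(project: SafetyProject, ts: str) -> SafetyProject:
    """Same program and wiring, re-downloaded at a later time."""
    return SafetyProject(project.program, project.io_config, ts)


# Constructed example: one E-Stop instruction on a two-channel pushbutton.
VALIDATED = SafetyProject(
    program=(
        ("Emergency Stop with Manual Reset",
         {"ch_a": "I:0/0", "ch_b": "I:0/1", "reset": "I:0/2", "out": "O:0/0"}),
    ),
    io_config={"I:0/0": "estop_ch_a", "I:0/1": "estop_ch_b",
               "I:0/2": "reset_pb", "O:0/0": "k1_k2_coils"},
    timestamp="2024-05-01T09:30:00Z",
)
# The value the validator writes into the validation record.
RECORDED_SIGNATURE = compute_signature(VALIDATED)

if __name__ == "__main__":
    print("validated copy matches:", verify_signature(VALIDATED, RECORDED_SIGNATURE))
    swapped = with_swapped_terminals(VALIDATED, "I:0/0", "I:0/2")
    print("reset and channel A swapped:", verify_signature(swapped, RECORDED_SIGNATURE))
    later = with_new_timestamp(VALIDATED, "2024-06-01T08:00:00Z")
    print("re-downloaded later:", verify_signature(later, RECORDED_SIGNATURE))
```

The time stamp is deliberately part of the hash: a fresh download of an unchanged program still yields a new signature, which is why the text says to record the signature only after final validation and to record a new one after every modification.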
Integrated Safety Controllers
Safety control solutions now provide complete integration within a single control architecture where safety and standard control functions reside and work together. The ability to perform motion, drive, process, batch, high speed sequential and SIL 3 safety control in one controller provides significant benefits. The integration of safety and standard control provides the opportunity to use common tools and technologies, which reduces the costs associated with design, installation, commissioning and maintenance. The ability to use common control hardware, distributed safety I/O or devices on safety networks, and common HMI devices reduces purchase and maintenance costs and also reduces development time. All of these features improve productivity and the speed of troubleshooting, and lower training costs because of the commonality.
Figure 98 shows an example of the integration of control and safety. The standard non-safety related control functions reside in the Main Task. The safety related functions reside in the Safety Task.
Figure 98: Integrated Safety and Nonsafety Tasks (Integrated Tasks)
All standard and safety related functions are isolated from each other. Figure 99 shows a block diagram of allowed interaction between the standard and safety portions of the application. For example, safety tags can be directly read by the standard logic. Safety tags can be exchanged between GuardLogix controllers over EtherNet, ControlNet or DeviceNet. Safety tag data can be directly read by external devices, Human Machine Interfaces (HMI), personal computers (PC) or other controllers.
Protective Measures and Complementary Equipment
Figure 99: Standard and Safety Task Interaction (Standard Tasks: Standard Pgms, Std Routines, Program Data, Controller Standard Tags; Safety Task: Safety Pgms, Safety Routines, Program Safety Data, Controller Safety Tags; numbered interactions 1 to 7 as listed below)
1. Standard tags and logic behave the same as in ControlLogix.
2. Standard tag data, program or controller scoped, is accessible to external devices, HMIs, PCs, other controllers, etc.
3. As an integrated controller, GuardLogix provides the ability to move (map) standard tag data into safety tags for use within the safety task. This gives users the ability to read status information from the standard side of GuardLogix. This data must not be used to directly control a SIL 3 output.
4. Safety tags can be directly read by standard logic.
5. Safety tags can be read or written by safety logic.
6. Safety tags can be exchanged between GuardLogix controllers over EtherNet.
7. Safety tag data, program or controller scoped, can be read by external devices, HMIs, PCs, other controllers, etc. Note that once this data is read, it is considered standard data, not SIL 3 data.
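The interaction rules of Figure 99 are a data-flow policy, and a reviewer can check an application against them mechanically. The following added example (not GuardLogix code, and not the vendor's own tooling) models tags with a domain and two attributes, mapped-from-standard and SIL 3 output, and flags three kinds of write that break the rules: standard logic writing a safety tag (item 4), a SIL 3 output driven by mapped standard data (item 3), and safety logic reading a standard tag that was never mapped (implied by item 3, since mapping is the only path into the safety task). The tag names and the write list are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Tag:
    name: str
    domain: str                         # "standard" or "safety"
    mapped_from_standard: bool = False  # safety tag filled by the standard-to-safety mapping (item 3)
    sil3_output: bool = False           # safety tag that drives a SIL 3 output


@dataclass
class Write:
    routine_domain: str       # "standard" or "safety": the task performing the write
    target: str               # tag being written
    sources: Tuple[str, ...]  # tags the written value is computed from


def check_tag_flows(tags: Dict[str, Tag], writes: List[Write]) -> List[str]:
    """Return one message per write that breaks the interaction rules of Figure 99."""
    violations = []
    for w in writes:
        target = tags[w.target]
        sources = [tags[s] for s in w.sources]
        if w.routine_domain == "standard" and target.domain == "safety":
            # item 4: standard logic may read safety tags, never write them
            violations.append(f"standard logic writes safety tag {target.name}")
        if w.routine_domain == "safety":
            for s in sources:
                if s.domain == "standard":
                    # implied by item 3: the safety task sees standard data only through mapping
                    violations.append(f"safety logic reads unmapped standard tag {s.name}")
                elif s.mapped_from_standard and target.sil3_output:
                    # item 3: mapped data is for status, not for driving a SIL 3 output
                    violations.append(
                        f"SIL 3 output {target.name} is driven by mapped standard data {s.name}")
    return violations


# Constructed example: a gate interlock, an E-Stop and an HMI mode selection.
SAMPLE_TAGS = {t.name: t for t in [
    Tag("gate_closed", "safety"),
    Tag("estop_ok", "safety"),
    Tag("hmi_mode", "standard"),
    Tag("hmi_mode_mapped", "safety", mapped_from_standard=True),
    Tag("drive_enable", "safety", sil3_output=True),
    Tag("safety_status", "safety"),
    Tag("stack_light", "standard"),
]}
SAMPLE_WRITES = [
    Write("safety", "drive_enable", ("gate_closed", "estop_ok")),        # allowed
    Write("safety", "safety_status", ("hmi_mode_mapped",)),              # allowed: status use only
    Write("safety", "drive_enable", ("gate_closed", "hmi_mode_mapped")), # item 3 violation
    Write("standard", "stack_light", ("gate_closed",)),                  # allowed: standard reads safety
    Write("standard", "gate_closed", ("hmi_mode",)),                     # item 4 violation
    Write("safety", "drive_enable", ("hmi_mode",)),                      # unmapped standard read
]

if __name__ == "__main__":
    for msg in check_tag_flows(SAMPLE_TAGS, SAMPLE_WRITES):
        print("VIOLATION:", msg)
```

Item 7 is the mirror image of item 3 and needs no check: a safety tag read by the standard side or an HMI is simply standard data from that point on, so nothing downstream of it may be treated as SIL 3.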
Safety Networks
Plant floor communication networks have traditionally given manufacturers the capability to improve flexibility, increase diagnostics, increase distance, reduce installation and wiring cost, ease maintainability and generally improve the productivity of their manufacturing operations. These same motivations are driving the implementation of industrial safety networks. Safety networks allow manufacturers to distribute safety I/O and safety devices around their machinery using a single network cable, reducing installation costs while improving diagnostics and enabling safety systems of increased complexity. They also enable safe communications between safety PLCs / controllers, allowing users to distribute their safety control among several intelligent systems.

Safety networks do not prevent communication errors from occurring. What distinguishes them is that the safety protocol detects transmission errors and lets the safety devices take the appropriate action. The communication errors that are detected include: message insertion, message loss, message corruption, message delay, message repeat and incorrect message sequence. For most applications, when an error is detected the device goes to a known de-energized state, typically called the "safe state." The safety input or output device is responsible for detecting these communication errors and going to the safe state if appropriate. These checks are designed to catch random transmission faults; they do not by themselves authenticate the sender, so protecting the network against deliberate interference remains a separate task.
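The six error classes listed above are all caught by a small set of per-message checks at the consumer. The following added example (an illustrative scheme, not CIP Safety's actual frame format or timing rules) builds a producer frame with a connection identifier, a sequence number, a producer time stamp and a CRC, and a consumer that trips to the safe state on a CRC mismatch (corruption), a foreign connection identifier (insertion), a stale sequence number (repeat or incorrect sequence), a gap in sequence numbers (loss), a time stamp outside the accepted window (delay) or silence longer than the watchdog (loss). The constants, field widths and the latch-until-reset behavior are assumptions made for the illustration.

```python
import struct
import zlib
from dataclasses import dataclass
from typing import Optional

# Constructed parameters; a real safety protocol negotiates its own values.
CONN_ID = 0x2A        # identifier producer and consumer agree on at connection open
MAX_AGE_MS = 20       # a message older than this on arrival is treated as delayed
WATCHDOG_MS = 50      # longest silence tolerated before the consumer goes safe
HEADER = struct.Struct("<HIQ")   # conn_id (u16), seq (u32), producer time stamp ms (u64)


def build_message(conn_id: int, seq: int, ts_ms: int, payload: bytes) -> bytes:
    """Producer side: header, safety payload, then a CRC over everything."""
    body = HEADER.pack(conn_id, seq, ts_ms) + payload
    return body + struct.pack("<I", zlib.crc32(body))


@dataclass
class SafetyConsumer:
    """Consumer side: any failed check latches the safe (de-energized) state."""
    expected_seq: int = 0
    last_good_ms: Optional[int] = None
    state: str = "safe"          # starts safe; only a valid message moves it to "run"
    fault: Optional[str] = None

    def _trip(self, reason: str) -> str:
        self.state = "safe"
        self.fault = reason
        return reason

    def receive(self, frame: bytes, now_ms: int) -> str:
        """Return 'ok' or the error class that was detected."""
        if self.fault is not None:
            return self.fault                       # latched until reset()
        if len(frame) < HEADER.size + 4:
            return self._trip("corruption: frame too short")
        body, (crc,) = frame[:-4], struct.unpack("<I", frame[-4:])
        if zlib.crc32(body) != crc:
            return self._trip("corruption: CRC mismatch")
        conn_id, seq, ts_ms = HEADER.unpack_from(body)
        if conn_id != CONN_ID:
            return self._trip("insertion: frame belongs to another connection")
        if seq < self.expected_seq:
            return self._trip("repeat: sequence number already consumed")
        if seq > self.expected_seq:
            return self._trip("loss: gap in sequence numbers")
        age = now_ms - ts_ms
        if age < 0 or age > MAX_AGE_MS:
            return self._trip("delay: time stamp outside the accepted window")
        if self.last_good_ms is not None and now_ms - self.last_good_ms > WATCHDOG_MS:
            return self._trip("loss: watchdog expired between messages")
        self.expected_seq = seq + 1                 # real protocols wrap the counter
        self.last_good_ms = now_ms
        self.state = "run"
        return "ok"

    def tick(self, now_ms: int) -> str:
        """Called on a timer so that silence, not only bad frames, drops the output."""
        if (self.fault is None and self.last_good_ms is not None
                and now_ms - self.last_good_ms > WATCHDOG_MS):
            self._trip("loss: watchdog expired")
        return self.state

    def reset(self, next_seq: int) -> None:
        """Operator reset after the cause is cleared; stays safe until a good frame."""
        self.fault = None
        self.expected_seq = next_seq
        self.last_good_ms = None


if __name__ == "__main__":
    consumer = SafetyConsumer()
    print(consumer.receive(build_message(CONN_ID, 0, 1000, b"\x01"), 1005), consumer.state)
    print(consumer.receive(build_message(CONN_ID, 0, 1000, b"\x01"), 1015), consumer.state)
```

Note that the consumer cannot tell a lost message from a reordered one at the moment the gap appears; either way the safe reaction is the same, which is why the text groups detection with "taking the appropriate action" rather than with diagnosis.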
Early safety networks were tied to a particular media type or media access scheme, so manufacturers were required to use specific cables, network interface cards, routers, bridges, etc. that also became part of the safety function. These networks were limited in that they only supported communication between safety devices. This meant that manufacturers were required to use two or more networks for their machine control strategy (one network for standard control and another for safety related control) increasing installation, training and spare parts costs.
Modern safety networks allow a single network cable to communicate with safety and standard control devices. CIP (Common Industrial Protocol) Safety is an open standard protocol published by ODVA (Open DeviceNet Vendors Association) that provides safety communications between safety devices on DeviceNet, ControlNet and EtherNet/IP networks. Because CIP Safety is an extension to the standard CIP protocol, safety devices and standard devices can reside on the same network. Users can also bridge between networks containing safety devices, allowing them to subdivide safety devices to fine-tune safety response times, or simply to make distribution of safety devices easier. Because the safety protocol is solely the responsibility of the end devices (safety PLC / controller, safety I/O module, safety component), standard cables, network interface cards, bridges and routers are used, eliminating any special networking hardware and removing these devices from the safety function.
Figure 100 shows a simplified example of a distributed I/O system. The operator opens the gate. The interlock switch, connected to the local Safety I/O block, sends its safety data over the DeviceNet network to the Safety PLC. The Safety PLC sends a signal back to the Safety I/O block to shut down the equipment inside the gate and sends a standard output to a stack light to annunciate that the gate is open. The HMI and the standard PLC monitor the safety data for display and additional control measures, such as performing a cycle stop of adjacent equipment.
Figure 100: Example of a Simple Distributed Safety Network (Standard PLC, Safety PLC, DeviceNet Safety I/O Block, Human Machine Interface)
For larger manufacturing systems, where safety information and control must be shared, EtherNet/IP can also be used. Figure 101 shows an example of communications between two safety controllers while DeviceNet is used for local distribution of I/O within a smaller subsystem.
Output Devices
Safety Control Relays and Safety Contactors
Control Relays and Contactors are used to remove power from the actuator. Special features are added to control relays and contactors to provide the safety rating.
Mechanically linked normally closed contacts are used to feed back the status of the control relays and contactors to the logic device. The use of mechanically linked contacts helps ensure the safety function. To meet the requirements for mechanically linked contacts, the normally closed and the normally open contacts cannot be in the closed state at the same time. IEC 60947-5-1 defines the requirements for mechanically linked contacts. If the normally open contacts were to weld, the normally closed contacts remain open by at least 0.5 mm. Conversely, if the normally closed contacts were to weld, then the normally open contacts remain open. If the product meets this requirement, the symbol shown in Figure 102 is applied to the product.
Safety systems must only be started at specific locations. Standard rated control relays and contactors allow the armature to be depressed to close the normally open contacts. On safety rated devices, the armature is protected from manual override to mitigate unexpected startup.
On safety control relays, the normally closed contact is driven by the main spanner. Safety contactors use an adder deck to locate the mechanically linked contacts. If the contact block were to fall off the base, the mechanically linked contacts remain closed. The mechanically linked contacts are permanently affixed to the safety control relay or safety contactor.
On the larger contactors, an adder deck is insufficient to accurately reflect the status of the wider spanner. Instead, mirrored contacts, located on either side of the contactor as shown in Figure 103, are used.
Figure 101: Example of a Complex Distributed Safety Network (RSLogix, RSView; ControlNet, EtherNet/IP and DeviceNet segments; CIP Safety on ControlNet, EtherNet/IP and DeviceNet)
Figure 102: Mechanically Linked Contact Symbol (window inhibits access to armature; symbol for mechanically linked contacts)
Mirrored Contacts